[57] ABSTRACT

An electronic system that remains disabled at power-on until its user is recognized. The electronic system includes a host processor and a deactivation circuit coupled to the host processor. The deactivation circuit places the host processor into an inoperative state until the user is recognized. In one embodiment, the deactivation circuit is a security processor coupled to a reset input of the host processor. The security processor includes a processing unit and an internal memory unit to contain software required by the host processor to complete a booting procedure.

17 Claims, 5 Drawing Sheets 



[Front-page drawing (block diagram), not reproduced. Legible labels: RESET, CHIPSET, MAIN MEMORY ELEMENT, BUS, INPUT DEVICE CONTROLLER, INPUT DEVICE, SYSTEM POR CIRCUIT; reference numerals 100, 110, 115, 120, 125, 130, 140, 145, 155, 160, 165.]



03/25/2004, EAST Version: 1.4.1 



U.S. Patent    Nov. 21, 2000    Sheet 1 of 5    6,151,678




[Drawing sheets 1 to 5 of 5: figures not reproduced. Legible labels: INPUT DEVICE CONTROLLER, INPUT DEVICE (sheet 1); SECURITY PROCESSOR (sheet 5).]



ANTI-THEFT MECHANISM FOR MOBILE COMPUTERS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of data security. More particularly, this invention relates to a mechanism that disables the operation of an electronic system until its user is recognized.

2. Description of Related Art

Over the last few years, mobile computers (e.g., laptop, hand-held, etc.) have become one of the fastest growing computer-related products. One reason is that mobile computers are highly versatile because they are implemented with one or more battery packs. As a result, mobile computers do not require an external power source for a prolonged period of time. This allows business persons to increase their productivity when traveling, visiting customers, attending off-site meetings, reviewing and drafting patent applications, and the like.

Of major concern, however, is that mobile computers are vulnerable to theft due to their commercial value and their exposure to insecure environments such as cars, hotel rooms and airport lobbies. Although stored content may have value to a business competitor, mobile computers usually are stolen for their commercial value as a computer.

Currently, there exist a number of security mechanisms that are marginally effective. However, these mechanisms are still vulnerable to component or device replacement. For example, one type of conventional security mechanism involves the use of password software, which is normally executed after a central processing unit (CPU) of the mobile computer has been powered-up and has fetched macro-instructions from Basic Input/Output System (BIOS). Normally, BIOS resides in a Read Only Memory (ROM) component in close proximity to the CPU. These BIOS instructions enable the CPU to properly execute password software. After correctly inputting a previously chosen password, a user is allowed access to stored contents of the mobile computer. Unfortunately, this security mechanism can be easily circumvented by replacing the ROM component containing BIOS or perhaps the hard drive containing the password software.

Hence, it is contemplated that the integration of a security mechanism, implemented within each mobile computer to halt its computer functionality until an authorized user is recognized, would discourage mobile computer theft.

SUMMARY OF THE INVENTION

The present invention relates to an electronic system that remains disabled at power-on until its user is recognized. The electronic system includes a host processor and a deactivation circuit coupled to the host processor. The deactivation circuit places the host processor into an inoperative state until the user is recognized. In one embodiment, this inoperative state is achieved by preventing the host processor from receiving instructions.

BRIEF DESCRIPTION OF THE DRAWINGS

The features and advantages of the present invention will become apparent from the following detailed description of the present invention in which:

FIG. 1 is a first embodiment of the present invention where the BIOS flash memory resides inside a security processor implemented as a coprocessor interfaced to the PCI bus.

FIG. 2 is a perspective view of the security processor.

FIG. 3 is a block diagram of the internal circuitry of the security processor of FIGS. 1 and 2.

FIG. 4 is a block diagram of the internal circuitry of the security processor of FIGS. 1 and 2.

FIG. 5 is a second embodiment of the present invention.

DESCRIPTION OF THE PREFERRED EMBODIMENT

The present invention relates to circuitry and its corresponding method of placing an electronic system into an inoperative state until its user is recognized. In an inoperative state, the electronic system is incapable of functioning as intended. A deactivation circuit prevents the release of any BIOS instructions to the electronic system until the user has been recognized. In one embodiment, the deactivation circuit includes a processor implemented with boot software including Basic Input/Output System (BIOS) instructions. This processor is referred to herein as a "security processor".

Herein, while certain details are set forth in order to provide a thorough understanding of the present invention, it is apparent to a person of ordinary skill in the art that the present invention may be practiced through many embodiments other than those illustrated. In other instances, well-known circuits are not set forth in detail in order to avoid unnecessarily obscuring the present invention.

In the following description, terminology is used to discuss certain features of the present invention. For example, an "electronic system" includes any type of computer, especially a mobile computer such as [...] computer, as well as any device possessing [...] functionality. A "signal line" is broadly defined as one or more information-carrying mediums (electrical wires, fiber optics, cables, etc.) or wireless communications through established techniques such as infrared (IR) and radio frequency (RF) signaling.

In addition, the term "recognize" (as well as other tenses) is defined as a condition in which certain characteristics of an intended user have been authenticated or identified. Under an authentication scheme, the identity of the intended user is known. Thus, data pertaining to at least one characteristic of the user (referred to as "character data") is retrieved and directly compared with incoming data. This character data may be any data type, including biometric or alphanumeric, pre-stored within the electronic system or within another device in communication with the electronic system. In contrast, under an identification scheme, the identity of the user is unknown. Thus, if multiple users are authorized to use the electronic system, the incoming data is compared in a successive manner with character data of all authorized users until (i) a successful comparison is detected, or (ii) all comparisons with access data has been completed. If the latter condition occurs, the electronic system continues to remain in its inoperative state.

Referring to FIG. 1, a first illustrative embodiment of an electronic system 100 is shown in which electronic system 100 is placed into an inoperative state until its user is recognized. As shown, electronic system 100 (e.g., a mobile computer) includes at least one host processor 105 and a main memory element 110 (e.g., non-volatile or volatile memory such as dynamic random access memory "DRAM" or static random access memory "SRAM") coupled together by a chipset 115. The chipset 115 operates as an interface for a host bus 120, a memory bus 125 and a bus 130 in order to support communications between devices coupled to these
buses 120, 125 and 130. The bus 130 may be implemented as a single bus or as multiple buses interconnected through bridge circuitry. Bus 130 may be constructed in accordance with a number of well-known bus architectures, including but not limited or restricted to a Peripheral Component Interconnect (PCI) bus, an Accelerated Graphics Port (AGP) bus, an Industry Standard Architecture (ISA) bus, an Extended ISA (EISA) bus, or any other type of bus architecture.

In this embodiment, at least one peripheral device 135 is coupled to bus 130. The peripheral device 135 may include an input device controller 140. The input device controller 140 is coupled to an input device 145. The input device 145 may include an alphanumeric keyboard or keypad, a cursor [...] retinal scan, or other characteristic of an intended user.

As further shown in the illustrative embodiment of FIG. 1, a deactivation circuit (e.g., security processor) 150 is coupled to bus 130 of electronic system 100. In general, security processor 150 is an electronic device that is capable of preventing host processor 105 from receiving instructions normally executed during a boot procedure (referred to as "boot instructions") until the user of the electronic system 100 is recognized (authenticated or identified). These boot instructions may include BIOS instructions which is usually part of the Operating System (OS) of electronic system 100. The BIOS instructions enable host processor 105 to perform a variety of tasks such as initialization of hardware, diagnostics, loading the operating system kernel from mass storage, and routine I/O functions.

Referring still to FIG. 1, in contrast with normal mobile computer platforms in which the host processor 105 was reset by system power-on reset (POR) circuit 155 coupled to a Reset lead 165 of host processor 105, host processor 105 is reset by security processor 150 providing a HOST RESET signal to Reset lead 165. More specifically, the present invention may be configured [...] standard interconnections between host processor 105 and system POR circuit 155 and interconnecting system POR circuit 155 to the Reset input of security processor 150 as shown. In addition, a dedicated reset signal line 160 is interconnected between a control pin of security processor 150 and the Reset lead 165 of host processor 105.

When power is initially supplied to electronic system 100, security processor 150 will internally execute instructions for initialization purposes and begin execution of recognition software (namely, authentication and/or verification software). After power-up and initialization, security processor 150 produces and continuously [...] HOST RESET signal over reset signal line 160 until the user has been recognized. Upon user recognition, reset signal line 160 is deactivated to allow host processor 105 to commence fetching boot instructions loaded in security processor 150. In this embodiment, the BIOS instructions are implemented within security processor 150 to ensure that requests for BIOS instructions by host processor 105 are denied until user recognition and to prevent circumvention of the circuitry through disconnection [...].

Referring to FIG. 2, a perspective view of security processor 150 is shown. The security processor 150 includes a package 200 which protects its internal circuitry from harmful environmental conditions. The package 200 includes a plurality of leads 210₁-210ₙ ("n" being a positive whole number) to receive and output address, data and control signals. These leads 210₁-210ₙ are in the form of pins (as shown), solder balls, or any other type of interconnect. One of these leads (e.g., lead 210₁) is configured as a Reset input. Upon lead 210₁ receiving an active power-on reset (POR) signal from a system POR circuit 155, security processor 150 initializes its internal circuitry as well as one or more selected peripheral devices such as input device controller 140 of FIG. 1. This enables security processor 150 to receive character data from input device 145 of FIG. 1 for user recognition.

Referring now to FIG. 3, a more-detailed block diagram of a first illustrative embodiment of security processor 150 is shown. Security processor 150 includes a bus interface unit 220, a processing unit 230, and an internal memory unit [...] a bus (e.g., bus 130 of FIG. 1). For example, bus interface unit 220 is capable of receiving and routing information placed on bus 130 (of FIG. 1) and addressed for security processor 150. Likewise, bus interface unit 220 is capable of outputting information from processing unit 230 onto bus 130 of FIG. 1. Internal memory unit 240 includes non-volatile memory to contain boot software including BIOS instructions and perhaps authentication and/or identification software programs.

Referring now to FIG. 4, the security processor 150 may be constructed as a single integrated circuit (IC), multiple ICs placed in a single package or multiple ICs placed on a substrate such as a motherboard for example. In the event that multiple ICs are used, security processor 150 may be constructed with a first IC 400 featuring processing logic and a second IC 410 featuring a memory as shown in FIG. 4. The memory includes non-volatile memory although volatile memory may be used. These ICs 400 and 410 are interconnected by a bus 420 and packaged within a multi-chip package 430.

Referring now to FIG. 5, a second illustrative embodiment for temporarily disabling normal operations of an electronic system 500 is shown. Electronic system 500 includes at least one host processor 505 and a main memory element 510 coupled together by a chipset 515 acting as an interface for a host bus 520, a memory bus 525 and a bus 530. Bus 530 provides a communication path for at least one input data device 540 (via an input device controller 535) and a security processor 545.

As shown, security processor 545 is coupled to bus 530 and to a system POR circuit 550. The system POR circuit 550 signals security processor 545 when a power-up condition occurs, normally by the user turning on electronic system 500. Although not shown, security processor 545 includes a processing unit and internal memory. The internal memory contains boot software and reset software. The boot software is capable of being executed by the processing unit of security processor 545 at power-up in order to initialize security processor 545 and to support communications between data input device 540 and security processor 545. The reset software is executed by the security processor 545 in response to a request by host processor 505 for the boot software. The reset software causes security processor 545 to transmit a sequence of instructions (e.g., "NO OP" instructions, jump instructions, etc.) to host processor 505 in order to keep it in an inoperative state until the user of the electronic system 500 is recognized.

In another embodiment (not shown), the boot software is located on a substrate (e.g., printed circuit board "PCB")
either on the same substrate or on another substrate. Regardless
of its location in the electronic system, as long as the
security processor has access to and exclusive control of the
boot software prior to start-up and the host processor issuing
requests for boot instructions to security processor, the
security processor still would be able to preclude the host
processor from obtaining access to boot instructions of the
boot software. Access to the boot instructions would be
released only upon successful authentication or identification
of the user by the security processor.

While this invention has been described with reference to 
illustrative embodiments, this description is not intended to 
be construed in a limiting sense. Various modifications of the 
illustrative embodiments, as well as other embodiments of 
the invention, which are apparent to persons skilled in the art 
to which the invention pertains are deemed to lie within the 
spirit and scope of the invention. 
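
The power-on sequence and the two recognition schemes described above, modeled in C as an added example (not code from the patent). The struct layout, function names, the 0x90 filler opcode and the sample user and BIOS bytes are assumptions made for illustration; the comparison without early exit is a hardening choice of this example, where the description only says the data is "directly compared".

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHAR_LEN  4      /* bytes of "character data" per user (assumed) */
#define BIOS_LEN  4      /* size of the toy boot image (assumed) */
#define FILLER_OP 0x90u  /* stand-in "NO OP" opcode (assumed encoding) */
typedef struct {
    bool host_reset;                   /* level driven on the host's Reset lead */
    bool recognized;
    const uint8_t (*users)[CHAR_LEN];  /* pre-stored character data, one row per user */
    size_t n_users;
    uint8_t bios[BIOS_LEN];            /* boot instructions in internal memory */
} secproc;

/* Constructed sample character data for two authorized users. */
static const uint8_t USERS[2][CHAR_LEN] = {{1, 2, 3, 4}, {9, 8, 7, 6}};

/* POR signal received: assert HOST RESET before the host can fetch anything. */
void sp_power_on(secproc *sp) { sp->host_reset = true; sp->recognized = false; }

/* No early exit, so timing does not reveal where the first mismatch is. */
static bool same(const uint8_t *a, const uint8_t *b) {
    uint8_t diff = 0;
    for (size_t i = 0; i < CHAR_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* User recognized: deactivate the reset line so the host may boot. */
static void release(secproc *sp) { sp->recognized = true; sp->host_reset = false; }

/* Authentication: the claimed identity is known, so one direct comparison. */
bool sp_authenticate(secproc *sp, size_t claimed, const uint8_t *input) {
    if (claimed >= sp->n_users || !same(sp->users[claimed], input)) return false;
    release(sp);
    return true;
}

/* Identification: identity unknown, compare with every authorized user. */
int sp_identify(secproc *sp, const uint8_t *input) {
    int found = -1;
    for (size_t i = 0; i < sp->n_users; i++)
        if (same(sp->users[i], input) && found < 0) found = (int)i;
    if (found >= 0) release(sp);
    return found;  /* -1: every comparison failed, host stays inoperative */
}

/* Host request for a boot instruction. Until the user is recognized the
 * request is denied (first embodiment) or, with filler=true, answered
 * with a filler opcode instead of boot software (second embodiment). */
bool sp_fetch(const secproc *sp, size_t addr, bool filler, uint8_t *out) {
    if (addr >= BIOS_LEN || (!sp->recognized && !filler)) return false;
    *out = sp->recognized ? sp->bios[addr] : FILLER_OP;
    return true;
}

int main(void) {
    /* BIOS bytes below are constructed placeholders, not real firmware. */
    secproc sp = {.users = USERS, .n_users = 2, .bios = {0xEA, 0x5B, 0xE0, 0x00}};
    sp_power_on(&sp);
    int who = sp_identify(&sp, USERS[1]);
    printf("user %d recognized, host reset=%d\n", who, sp.host_reset);
    return 0;
}
```

Because the boot image lives behind `sp_fetch`, swapping the host's ROM or hard drive does not help an unrecognized user: the host is still held in reset and the only copy of the boot instructions is gated by recognition.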

What is claimed is: 

1. An electronic system comprising:
a host processor;
a power-on reset circuit; and
a deactivation circuit coupled to the host processor and
the power-on reset circuit, the deactivation circuit to
prevent the host processor from receiving instructions
by continuously outputting an active reset signal to the
host processor in response to a system power-on signal
by the power-on reset circuit, the active reset signal
places the host processor in an inoperative state until a
user of the electronic system is recognized upon which
the reset signal is deactivated.

2. The electronic system of claim 1, wherein the instructions
include Basic Input/Output System (BIOS) instructions
required during a boot procedure of the electronic
system.

3. The electronic system of claim 1, wherein the deactivation
circuit includes a security processor including a processing
unit and an internal memory unit, the internal
memory unit containing software used by the electronic
system during a boot procedure.

4. The electronic system of claim 3, wherein the software
contained within the internal memory unit includes Basic
Input/Output System (BIOS) instructions.

5. The electronic system of claim 3, wherein the deactivation
circuit further includes a signal line coupled to an
output of the security processor and a Reset input of the host
processor, the signal line to transfer the reset signal.

6. The electronic system of claim 3, wherein the host
processor fetches boot instructions from the security processor
after the reset signal has been deactivated.

7. The electronic system of claim 1, wherein the deactivation
circuit includes a security processor including
a logic integrated circuit;
a memory integrated circuit; and
a bus coupled to both the logic integrated circuit and the
memory integrated circuit.

8. The electronic system of claim 7, wherein the memory
integrated circuit contains at least one instruction needed for
execution by the host processor during a boot procedure of
the electronic system.

9. The electronic system of claim 7, wherein the security
processor is placed in an operative state in response to the
system power-on reset signal.

10. An electronic system comprising:
power means for transmitting a power-on reset signal at
power-up of the electronic system;
processor means for executing a plurality of instructions;
and
deactivation means for preventing the processor means
from obtaining a plurality of boot instructions in
response to receipt of the system power-on reset signal
from the power means and for continuously providing
an active reset signal that places the processor means in
an inoperative state immediately after power-up of the
electronic system until a user of the electronic system
is recognized, the deactivation means being coupled to
the processor means and the power means.

11. An electronic system comprising: 
a host processor; and 

a deactivation circuit coupled to the host processor, the 
deactivation circuit to (1) place the host processor in an 
inoperative state immediately after a system power-on 
reset signal is initiated in order to prevent the host 
processor from receiving any basic input output system 
(BIOS) instructions until a user of the electronic system 
is recognized by comparing the input data with data 
preloaded for use in identifying one or more authorized 
users, and (2) store BIOS instructions fetched by the 
host processor after the user is recognized. 

12. The electronic system of claim 11, wherein the Basic 
Input/Output System (BIOS) instructions are required dur- 
ing a boot procedure of the electronic system. 

13. A method for ensuring security of an electronic 
system, the method comprising: 

placing a host processor in an inoperative state after 
power-on, which prevents the host processor from 
fetching any basic input output system (BIOS) 
instructions, by configuring a deactivation circuit to 
continuously output an active RESET signal to the host 
processor; 

determining whether an intended user of the electronic 
system is recognized as an authorized user of the 
electronic system; 

continuing to maintain the host processor in the inopera- 
tive state until the user is recognized as the authorized 
user; and 

placing the host processor in an operative state when the 
user is recognized as the authorized user. 

14. The method of claim 13, wherein the determining on 
whether the intended user is the authorized user includes: 

receiving input data associated with the intended user; and
comparing the input data with character data of the
authorized user provided prior to receiving the input
data.

15. The method of claim 14, wherein the placing of the 
host processor in the operative state includes allowing 
access to a plurality of boot instructions by the host proces- 
sor. 

16. The method of claim 13, wherein the deactivation 
circuit includes a security processor and a power-on reset 
circuit, the power-on reset circuit signals the security pro- 
cessor to generate the active RESET signal in response to a 
power-up condition. 

17. The method of claim 13, wherein the placing of the 
host processor in the operative state includes allowing the 
host processor to fetch BIOS instructions stored in the 
deactivation circuit. 